[sssd]
services = nss, pam
config_file_version = 2
{% set sssd_openldap_domains = [] %}
{% for sssd_domain_info in hostvars[inventory_hostname].sssd_info.domains %}
{%- set sssd_openldap_domains = sssd_openldap_domains.append(sssd_domain_info.name) -%}
{% endfor %}
domains = {{ sssd_openldap_domains | join(',') }}

[nss]
filter_users=root,ldap
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

{% for sssd_domain_info in hostvars[inventory_hostname].sssd_info.domains %}
[domain/{{ sssd_domain_info.name }}]
use_fully_qualified_names = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_search_base = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].basedn }}
ldap_id_use_start_tls = False
ldap_uri = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].uri }}
ldap_default_bind_dn = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].binddn }}
ldap_default_authtok_type = obfuscated_password
#ldap_default_authtok =
ldap_tls_reqcert = allow
#ldap_tls_cacertdir = /tmp/ssl/
ldap_access_order = filter
ldap_user_search_filter = (|{%- for sssd_user_info in sssd_domain_info.users %}(cn={{ sssd_user_info.name }}){%- endfor %})
{% if not loop.last %}{{ '\n' }}{% endif %}
{% endfor %}